Uber Expands Settlement With US FTC Related to Cyberattack

The FTC said the expansion of the proposed settlement comes after the commission learned Uber had failed to disclose a "significant" breach of consumer data that occurred in 2016 affecting nearly 50 million U.S. riders.

The U.S. Federal Trade Commission said on Thursday the ride-hailing company Uber Technologies had agreed to expand its proposed settlement with the agency over charges it deceived consumers about its privacy and data security practices. The FTC said the expansion of the proposed settlement comes after the commission learned Uber had failed to disclose a "significant" breach of consumer data that occurred in 2016 affecting nearly 50 million U.S. riders and compels Uber to disclosure future incidents.

The settlement does not impose any fines but said Uber could face civil penalties if it fails to disclose future incidents. The FTC said Uber in November 2016 learned that intruders had again accessed consumer data the company stored on its third-party cloud provider’s servers but did not disclose the incident for a year. The company said it had no evidence of fraud tied to the data breach. The FTC said intruders used the access key to download from Uber’s cloud storage unencrypted files containing more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of U.S. Uber drivers and riders.

"After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen Ohlhausen. "The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future." The FTC noted that Uber failed to disclose the breach immediately, even after it paid the intruders $100,000 through its third-party “bug bounty” program.

The new FTC order requires Uber to retain records related to bug bounty reports regarding some vulnerabilities. In November 2017, Uber Chief Executive Officer Dara Khosrowshahi disclosed the data breach that affected 57 million people around the world and said the two individuals who led the response were no longer with Uber. Uber Chief Legal Officer Tony West said in a statement Thursday that during his first week on the job in 2017 Uber publicly disclosed the incident.

"I am pleased that just a few months after announcing this incident, we have reached a speedy resolution with the FTC that holds Uber accountable for the mistakes of the past by imposing new requirements that reasonably fit the facts," West said.